Institutions
On
Finance Revenue
November 2010
Office of the Superintendent of Financial Institutions Canada
Table of Contents
1. Background
3. Conclusion
Management Response
1. Background
Introduction
Internal Audit conducts assurance work to determine whether Office of the
Superintendent of Financial Institutions Canada's (OSFI) risk management,
control, and governance processes, as designed and represented by
management, are adequate to ensure risks are appropriately identified and
managed.
The audit of Finance - Revenue was approved by the OSFI Audit Committee
and the Superintendent for inclusion in the OSFI 2009-10 Internal Audit Plan.
This report presents the results of that audit based on audit work completed at
the end of May 2010. The audit recommendations will support Finance to
continuously improve their control framework for revenue processing.
This report was presented to the OSFI Audit Committee and approved by the
Superintendent on November 9th, 2010. The Assistant Superintendent,
Corporate Services, and Finance senior management, who will provide their
management response within this report, have also reviewed it.
Context
The Office of the Superintendent of Financial Institutions Canada (OSFI)
recovers its costs through base assessments, pension plan fees, cost-recovered
services, and user fees and charges.
OSFI's ability to process revenue transactions and charge the Federally
Regulated Financial Institutions (FRFI), Regulated Private Pension Plans
(RPPP) and others is essential in OSFI being able to recover its expenses and
pay employees and operating expenses on a timely basis. In addition, the
Superintendent and the Chief Financial Officer, in part, rely on internal
controls over revenue transaction processing in order to provide assurance on
OSFI's internal controls as envisioned under the Treasury Board Policy on
Internal Control and Policy on Financial Management Governance.
OSFI's Finance Division (Finance) was re-structured in 2009-10 based on a
2009 study commissioned on the division's workload in terms of volumes
experienced, conversion of financial and accounting policies to IFRS, staff
complement, experience and competency needs, and process improvements
needed.
For the 2009-10 fiscal year, OSFI had Revenue of some $102 million ($92
million, 2008-09). The revenue was composed of base assessments, cost-
recovered services, pension plan fees and user fees and charges as set out in
Note 2 - Revenue & spending authority, Note 4 - Significant accounting
policies and Note 17 - Revenue (and expenses) by Business Activity of
OSFI's 2009-10 Financial Statements.
Revenue by Business Activity (,000)
Audit Scope
The audit covered the Finance - Revenue control framework for the 2009/10
fiscal year including the implementation of a new Final and Interim
Assessment Calculation Tool (FIACT).
The scope included:
- Improvements implemented during 2009-10 and those planned for
  2010-11 in areas such as conversion from Generally Accepted
  Accounting Principles (GAAP) to International Financial Reporting
  Standards (IFRS), implementation of a new Final and Interim
  Assessment Calculation Tool (FIACT), and restructuring of the
  Finance Division.
- Revenue processes from initiation of revenue streams, calculation of
  assessments, fees, and charges, posting of invoices to Accounts
  Receivable sub-ledger and the general ledger, and internal reporting as
  well as billing adjustments and late & erroneous filing penalties.
- OSFI revenue policy and applicable Government and GAAP policy
  and accounting requirements.
Matters outside of the scope
- A review of the information/data and related systems used for
  initiating revenue transactions, except a review of completeness and
  accuracy of the source information/data extraction.
- A review of IT operations environment and related controls, known
  as a general IT environment review.
- A review of the general ledger and Accounts Receivable sub-ledger
  functions, except posting of billings/invoices, and control/balancing
  of receivables/revenue to the general ledger.
Audit Approach
The audit was conducted in accordance with the Institute of Internal Auditors
International Standards for the Professional Practice of Internal Auditing,
consistent with the Treasury Board Policy on Internal Audit.
The audit criteria, as set out in Appendix A - Revenue Control Criteria, were
used for assessing the revenue policy, processes, and controls.
The audit work was conducted on a collaborative basis involving information
gathering, interviews with management and staff involved in supporting
processing of revenue transactions, examination of documents, testing of key
revenue processes, and interviews with Finance Division management & staff
and others involved in revenue processing.
To facilitate our work, we prepared revenue process maps (flowcharts) and
control profiles for some nine processes. The control profiles are tables
that match control objectives - completeness, accuracy, authorization and
review and approve - to the revenue processing phases - transaction initiation,
data extraction from supporting databases, and processing including
calculations, uploading of transactions (interface) and posting to the Accounts
Receivable and the General Ledger.
These revenue process maps and control profiles have been given to
Finance for use in their initiative of documenting existing revenue processes
and controls, and the evaluation and design of check and balancing
procedures and controls consistent with TBS Policy on Financial
Management Governance, Policy on Internal Control and Policy on Internal
Audit as well as generally recognized business application control standards
(e.g. Institute of Internal Auditors, Information Systems and Control
Association).
3. Conclusion
Revenue process controls and monitoring practices are not adequate to ensure
revenue transactions are completely and accurately processed and recorded.
As a result, there is limited assurance that base assessments and pension plan
fees are accurate and complete, and allocated among the Federally Regulated
Financial Institutions and Federally Regulated Pension Plans accounts
respectively and that all revenue transactions are posted to the Accounts
Receivable.
Processes and controls were not documented and evidenced as to
performance. Because some controls are executed during an annual process,
the lack of documentation and retention of supporting reports reduces the
sustainability of the controls. Some key controls were not in place such as
balancing source data to the corporate records.
Without a detailed review of risk and control, management may not identify
the appropriate preventive, detective, and monitoring controls. Achieving
compliance with reporting on internal controls as prescribed by the TBS
Policy on Financial Management Governance and Policy on Internal Control
will be challenging.
A 2009 independent study of the nature and volume of finance and
accounting processing and reporting needs provided Finance with a road map
for establishing a renewed Finance group. The Executive approved the study
report, briefed the Audit Committee on its results and actioned the steps
recommended in the study.
Finance has made improvements and has initiatives planned or underway to
address the revenue process and control concerns identified in our audit. We
also note that Finance has put in place the resources needed to complete these
multi-teamed initiatives.
It is essential that Finance establish a formal revenue risk & control
assessment process with an accompanying continuous improvement program,
such that management oversight, co-ordination of the improvement
initiatives, and the design of control frameworks is managed on a
consolidated basis.
A focused effort is required in:
We wish to recognize the excellent rapport and exchange of views with all
involved in the audit. The depth of the review and focusing on what matters
would not have been possible without the support received throughout the
audit.
____________________________ _____________
Chief Audit Executive, A&CS Date
4.1 Risk Management
Observation: There is not a detailed risk and control review of the
revenue process to ensure processes and controls are adequate.
OSFI's Enterprise Risk Management (ERM) policy and processes are used
for the identification, assessment, and mitigation of risk at the Sector /
Division operations level with a roll up into an overall OSFI risk assessment
to the Executive. Key risk areas and actions taken are reviewed quarterly by
the Executive as well as included in OSFI's Annual Report. Within the
Corporate Services Sector, Finance level risks are identified, evaluated, and
mitigation steps are undertaken with quarterly updates and reporting.
Finance's self-assessment of existing revenue processing identified areas of
concern such as undocumented processes and limited evidence that controls
were being carried out. Through interviews with Finance managers & staff
and a review of existing documentation, we confirmed Finance's
self-assessment of undocumented revenue processes and existing controls.
In 2010-11, Finance will be implementing significant changes in the areas of
accounting policies as well as reviewing and documenting its revenue
processes and key controls. The Director of Finance indicated that such a
program would be established by the end of the year.
Without a detailed review of risk and control over revenue processing,
management may not identify the appropriate preventive, detective, and
monitoring controls. Achieving compliance with reporting on internal
controls as prescribed by the TBS Policy on Financial Management
Governance and Policy on Internal Control may become challenging.
4.2 Accountability
Observation: There is not a designated individual who is responsible for
each revenue process.
Although Finance recognizes that it is responsible for revenue processing,
there is not a designated individual who is responsible for each revenue
process. Key to strengthening revenue processing and related controls is
Finance assigning a designated owner for each revenue process, who is
responsible for monitoring and oversight of the revenue processing and
controls from end-to-end.
Finance may not be able to determine if completeness, accuracy and
authorization, as well as management review and approval controls are
adequate to mitigate identified risk.
Recommendation: Assign a designated owner for each revenue process.
4.3 Development and training program
Observation: There is a need for training for those involved in initiation,
processing, reporting, and managing some nine revenue processes
including Sectors and Divisions that initiate revenue transactions.
It is important for Finance and other Sectors and Divisions to be able to talk
the same processing and control language and understand their role in
processing revenue transactions. During the audit, Finance managers and
staff showed a strong commitment to implementing development programs
including cross-training of technical processing and financial control
practices and techniques.
A 2009 independent study of the nature and volume of finance and
accounting processing and reporting needs provided Finance with a road map
for establishing a renewed Finance group and for filling key positions. The
positions of Manager of Financial Operations and of Financial Reporting &
Systems and Manager of Financial Policy and Special Projects have been
filled bringing valued knowledge and experience on accounting and financial
systems and related controls. With new managers and staff, it is essential that
Finance identifies and documents the technical (processing and controls) skill
requirements and put in place development and cross-training programs to
ensure the transfer of knowledge.
During 2009-10, Finance implemented informal training including cross-
training to strengthen operation capacity and staff. For 2010-11 cross-training
of staff was incorporated into Goal Commitment Documents. Finance is
committed to formalizing development and cross-training programs for most
positions during 2010-11 based on job positions jointly developed with
Human Resources.
Lack of training may result in staff not having the necessary processing
knowledge to ensure that operations related to revenue transactions are well
supported and understood by all, so that revenue is accurately recorded in
Accounts Receivable and accurately reported in management reports and
unaudited quarterly financial statements.
4.4 Control process
Observation: The nature and extent of existing controls are not
documented and evidence of performing them is very limited.
Finance's self-assessment of existing processes identified control concerns
with respect to undocumented processes and controls and lack of evidence
that processing tasks and control checks were being carried out. The 2009
independent study confirmed the need for process and control improvements.
The audit similarly noted the limited control documentation and limited
evidence of performance. Specific control weaknesses are detailed in this
report under this observation.
Finance has taken aggressive steps to remedy the situation. Finance's
complement of staff has been strengthened and a Manager, Financial Policy
and Projects, has been recruited with responsibility for developing and
maintaining corporate financial and internal control policies and procedures.
To support this initiative, a task force is being formed, with support of
external resources and expertise, to document financial / accounting business
systems such as revenue processes, and to put in place appropriate processing,
reviews, approvals, and monitoring controls as needed.
Some controls over posting of user fees were operating effectively, for
example:
- Posting of a user fee was supported with documentation from the
  originating department;
- There was matching of posting documents or revenue calculations to
  printed invoices;
- Onscreen data entry was compared visually to the posting document;
  and
- Input screens had drop down menus to capture the information needed
  for posting the transaction to Accounts Receivable.
However, controls over both user fees and base assessments, discussed further
in the report, were not effective because of the lack of description of the
controls and evidence of performance and in some cases weak design
determined through discussion with staff.
Without a clear understanding of the revenue control framework and required
controls, process documentation and evidence of control performance, there is
no assurance that all potential user fees are charged and base assessments are
properly calculated and allocated and revenue transactions are posted to the
Accounts Receivable and the General Ledger.
4.4.2 Base assessment calculations
Observation: There was no evidence that spreadsheets supporting base
assessment calculations were reviewed and controls performed verified.
For base assessment, processing spreadsheets were prepared by Finance staff
and reviewed by managers. However, the steps followed to verify and review
the processing, calculations and amounts were not documented. Verification
and review procedures such as printing of show formula, trace precedents,
and trace dependents were not evident.
4.4.3 Final and Interim Assessment Calculation Tool (FIACT)
It is important that FIACT be fully documented including: detailed run
instructions with control points; verification of input, processing and output
data; and assessment reports to support the Accounts Receivable and the
General Ledger amounts. In addition, FIACT system documentation would
be useful in determining the procedures and control requirements.
Cost recovery - cost allocation model
Through interviews with Finance staff and examination of supporting
documents, we found that the process was well structured and managed.
However, there is no documentation and evidence of the process and controls
applied. There is a risk that the base assessments charged to financial
institutions may not be properly allocated.
4.4.6 System Operations Support
Observation: Procedures and controls to support the operation of the
underlying systems are not fully documented to ensure accuracy of
system output.
Management Response
Overview
This report has been reviewed by the Director of Finance, Managing Director,
Finance and Corporate Planning, and the Assistant Superintendent, Corporate
Services, who acknowledge its observations and recommendations.
The recommendations will support Finance with its work to document the
revenue processes and to put in place appropriate processing, reviews,
approvals, and monitoring controls as needed.
Response
We thank the audit team for their collaborative approach in conducting the
revenue audit. Overall, we acknowledge the observations of the audit and
management has taken steps to address the report's recommendations.
Management agrees that documented evidence of its review and approval
steps for certain billing processes needs to be strengthened and retained in its
records.
Management confirms that thorough management review of billing processes
did occur and for the base assessment billing process, which represents the
majority of OSFI's revenues (80%), evidence of management review exists.
OSFI continues to be transparent about its base assessment billings by
providing detailed information to financial institutions with their annual
assessment so that they may validate the calculation of their invoice. As well,
since 2000-2001, OSFI's financial statements are audited annually by the
Office of the Auditor General, which provides assurance that there are no
material misstatements or errors in the financial statements. OSFI has
received an unqualified audit opinion each year since 2000-2001.
We accept the observations as they relate to documentation of processes,
procedures and internal controls, as well as cross-training of staff within the
Finance division and the training of staff within the business lines where
some revenue transactions originate. We also acknowledge the need to
include evidence of management review as part of our processes. The
addition of five new resources in Finance Division's staff complement during
2009-2010 will greatly enable the needed aforementioned improvements.
There are two main areas where Finance has already started the work to
address the audit findings and recommendations:
1. The documentation of revenue processes and controls is currently
underway as part of OSFI's ongoing transition to International Financial
Reporting Standards (IFRS) through the development of policies and
procedures for each of the IFRS standards affecting OSFI, and as part of
OSFI's ongoing implementation of the Treasury Board Policy on Internal
Control (PIC). OSFI must meet the policy's requirements with respect to
internal controls over financial reporting by March 31, 2011.
The Finance Division is committed to taking advantage of the work
performed by Internal Audit to pursue the documentation of various processes
not only just within the different Revenue streams but across all Sectors and
Divisions' business lines. The Finance Division has retained the services of an
external consultant who will help with the implementation of the PIC, and
management is confident that this work will address a number of observations
in the audit report.
2. Targeting cross-training to certain Finance team members and training of
staff in other Sectors and Divisions where revenue transactions originate.
This training will include adequate controls and oversight in order to ensure
that staff and management fully understand and exercise such controls and
oversight, and in accordance with the documented processes.
Management is committed to ensuring adequate internal controls are in place
within the Finance Division's revenue processing to ensure risks are
addressed in a balanced way. As noted, a number of initiatives have already
been undertaken to address some of the observations, others will be addressed
shortly, while a few will require senior management and Executive
Committee endorsement. For example, changes to policies and process
changes across or within Sectors and Divisions to strengthen reporting and
reconciliation practices.
Over the past year, the Finance Division has been successful in staffing a
number of new and existing indeterminate positions in order to implement the
reorganization plan presented to the Executive Committee in the summer of
2009. This has proven to be of great value since we now have a full
complement of staff in the Finance Division, all of which are committed to
making a full contribution to the team.
Elements / Components
Risk Management
- External and internal risk related to revenue are identified, assessed, mitigation/controls
  are in place, consistent with ERM policy
- A structure and process exists for monitoring and managing risk/issues as to the accuracy,
  completeness and integrity of revenue information, processing and reporting
- Corporate and finance risk management is incorporated into revenue risk management
  and cascade down to management and staff